Auditing Access file & LogParser
Hi everyone, I'm running a W2K3 server and I need to audit success on files in a specific folder... I activated auditing for the Everyone group on this folder and started to watch my logs... I want to know exactly what users are doing with these files (if they are opening them, or working on them)... After some research, it seems that 2K3 can't tell exactly what people are doing... but 2K8 can... I understand how the 560 Event ID works. It doesn't seem to be very accurate... here are my doubts! Can you tell me if I'm right or not?! I checked the Handle ID too... but it seems to be linked with the application that opens a file... or not... or randomly generated... couldn't find any answer to this question of mine! Well, that's it! Thanks all!
May 29th, 2009 10:26am

Hi, based on my test, Windows 2K3 records exactly what people are doing. Please refer to the following Windows 2K3 record. If you didn't get this event, it may be because the policy "Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access" was not configured. Enable this policy and test. For your reference: Audit object access http://technet.microsoft.com/en-us/library/cc776774(WS.10).aspx

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/1/2009
Time: 4:40:10 PM
User: GT\administrator
Computer: GTDC02
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\newsid
Handle ID: 1268
Operation ID: {0,8119592}
Process ID: 2468
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: administrator
Primary Domain: GT
Primary Logon ID: (0x0,0xA0674)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x100001
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
June 1st, 2009 11:47am

Hi, I tried to configure the audit policy as you said and received a log exactly like yours. But my question is how we could know whether a user deleted or copied files/folders or not. I tried to delete a file and to open a file, but the Accesses field is ReadData for both actions. So how could we identify what a user does if there's no difference between open and delete? One more question: what's the meaning of Access Mask?
September 28th, 2009 12:07pm

These ReadData and Delete values are the requested access permissions when the file handle is being opened. This has nothing to do with the actual actions that take place after the object has been opened. The fact that the object has been successfully deleted will appear later as a separate success audit log entry saying something like Object Deleted; just look into the log. ondrej.
September 28th, 2009 1:17pm
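To make the two points above concrete (what the Access Mask field means, and that a 560 Object Open only records the rights the process asked for, while the actual delete shows up later as a separate entry), here is a small example added for this thread. It is not code from any of the posters or from Microsoft. The bit values in the table are the standard Windows access-right constants; the sample events are constructed to look like the 2K3 records quoted above, and pairing an Object Open with the later Object Deleted entry (Event ID 564 on Windows Server 2003) by Handle ID and Process ID is the correlation ondrej describes, written out as code.

```python
"""Decode the Access Mask of Event ID 560 and pair each Object Open that asked for
DELETE with the later Object Deleted (564) entry for the same handle in the same
process.  Added example for this thread; the sample records below are constructed."""

# Standard Windows access-right bits, in the order they are usually listed.
ACCESS_BITS = {
    0x000001: "ReadData (or ListDirectory)",
    0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory)",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}


def decode_access_mask(mask):
    """Return the names of the rights set in mask; bits not in the table are reported as hex."""
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    if unknown:
        names.append(f"unknown:0x{unknown:X}")
    return names


def parse_event(record):
    """Parse one 'Field: Value' security event record into a dict.
    Lines with no colon or an empty value (such as 'Object Open:') are skipped;
    partition() on the first colon keeps values like '4:40:10 PM' intact."""
    fields = {}
    for line in record.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    fields["Event ID"] = int(fields["Event ID"])
    return fields


def confirmed_deletions(events):
    """For every 560 whose Access Mask includes DELETE, look for a later 564 with the same
    Handle ID and Process ID.  Only those pairs are deletions that really happened; a 560
    with DELETE and no matching 564 just means the right was requested."""
    results = []
    for i, ev in enumerate(events):
        if ev["Event ID"] != 560:
            continue
        if "DELETE" not in decode_access_mask(int(ev["Access Mask"], 16)):
            continue
        for later in events[i + 1:]:
            if (later["Event ID"] == 564
                    and later["Handle ID"] == ev["Handle ID"]
                    and later["Process ID"] == ev["Process ID"]):
                results.append((ev["Object Name"], ev["Primary User Name"], ev["Image File Name"]))
                break
    return results


# Constructed sample records (not real log data): an open for reading, an open that
# requested DELETE and was followed by Object Deleted, and an open that requested
# DELETE but was never followed by a delete.
SAMPLE_RECORDS = [
    """Event ID: 560
    Object Open:
    Object Name: C:\\share\\report.doc
    Handle ID: 1268
    Process ID: 2468
    Image File Name: C:\\WINDOWS\\explorer.exe
    Primary User Name: jdoe
    Access Mask: 0x100001""",
    """Event ID: 560
    Object Open:
    Object Name: C:\\share\\report.doc
    Handle ID: 1304
    Process ID: 2468
    Image File Name: C:\\WINDOWS\\explorer.exe
    Primary User Name: jdoe
    Access Mask: 0x10080""",
    """Event ID: 564
    Object Deleted:
    Handle ID: 1304
    Process ID: 2468
    Image File Name: C:\\WINDOWS\\explorer.exe""",
    """Event ID: 560
    Object Open:
    Object Name: C:\\share\\budget.xls
    Handle ID: 1400
    Process ID: 2468
    Image File Name: C:\\WINDOWS\\explorer.exe
    Primary User Name: jdoe
    Access Mask: 0x10080""",
]

if __name__ == "__main__":
    events = [parse_event(r) for r in SAMPLE_RECORDS]
    print(decode_access_mask(0x100001))
    print(confirmed_deletions(events))
```

Running it decodes the Access Mask 0x100001 from the record quoted above as ReadData plus SYNCHRONIZE, and reports only report.doc as deleted: budget.xls was opened with DELETE requested but no Object Deleted entry followed, which is exactly the distinction between a requested right and an action that took place. Matching on Process ID as well as Handle ID matters because a handle value is only meaningful inside the process that opened it and can be reused once closed.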

Thanks for your answer. I have one more question: is there any way or tool for totally monitoring a file server? My company is having serious security issues. Thanks in advance.
September 28th, 2009 7:30pm

You can use SCOM (System Center Operations Manager) or MOM 2005 for this. They are the same, but SCOM is the newest version of MOM 2005. With both versions you will be able to monitor these events and send an alert (via email, for example) when they are detected.
October 1st, 2009 5:31pm

Thank you very much. You've got my vote.
October 2nd, 2009 10:49pm
